Cyber criminals have devised a new method of stealing cash from ATMs without credit and debit cards. A new variety of malware Tyupkin malware discovered is believed to allow criminals withdraw large sums of money by simply typing in a code.

The incidence of emptying the cash machines using a code first came into light when Kaspersky Lab (1034431Z:) forensics investigation was called to inquire the matter following a request from a financial services company in Eastern Europe.

Over the past few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software. Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to the arrests and prosecution of cyber criminals. Now we are seeing the natural evolution of this threat with cyber criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs directly, or through direct advanced persistent threat (APT) attacks against the bank. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure”, said Kaspersky Labs.

It was observed that the malware once installed on the ATM using a CD allowed attackers to empty the ATM cash cassettes. This however, is a 2 step process. Firs, gaining physical access to the ATM . Second, a unique code – randomly generated by an algorithm at a remote location – to unlock the machine and dispense the cash. When rebooted, the miscreant has control of the ATM and can withdraw 40 notes at a time.

Kaspersky noted, at the time of the investigation, the Tyupkin malware was active on over 50 ATMs in Eastern Europe and has likely spread to the adjoining areas and other countries, including the US, India and China. Kaspersky has warned banks to review the physical security of their ATMs and consider investing in security.